[Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes

Thanks for the bug report.

This should have been opened against net-snmp, and not nagios-plugins, right? I'm reassigning it to the proper package.

It seems to me that it's a valid bug, but it would be great to have a more detailed reproducer. I tried editing /etc/ssl/openssl.cnf and extend the "usr_cert" extension's "nsComment" field to a string that is really long. Then, I generated a self-signed x509 certificate using the "usr_cert" extension:

# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -extensions usr_cert

Then I edited /etc/snmp/snmpd.conf and included a "localCert" parameter there:

[snmp] localCert /usr/local/share/ca-certificates/cert.crt

Finally, restarting the snmpd.service doesn't seem to trigger the bug. I wonder what I'm doing wrong here... Pointers and advices are appreciated.

Thanks.

Launchpad always seems to get the package wrong, it's odd.

To make net-snmp crash:

- Turn debugging on (the crashing happens when dumping the certificate as part of debug logging).
- Include a cert with an extension that, when printed, is longer than 512 bytes.
- The cert I was using is an EV certificate issued by Globalsign, the certificate transparency section is really large.

I think (need to check) that nsComment isn't technically an extension, and so won't be printed by net-snmp's certificate dump code.

Another way to force the bug is reduce SNMP_MAXBUF_SMALL to something tiny, like 1 byte. It will crash on any extension.

https://github.com/net-snmp/net-snmp/blob/V5-7-patches/snmplib/snmp_openssl.c#L482

This is the crash in an old branch that is unpatched:

https://github.com/net-snmp/net-snmp/blob/V5-7-patches/snmplib/snmp_openssl.c#L502

If the extension is too long, the _cert_get_extension_str_at() function returns NULL. This NULL is fed into strchr(), and boom.

The fix is in two parts - first, use a proper sized buffer that an extension can fit in, and if that's not enough, check str for NULL before trying to strchr() on it.

There were two attempts at a fix, one to stop the crash, and the second to fix the buffer length and stop the crash while also printing the name of the extension (but not value). Could potentially be confusing. Two fixes were developed at the same time.

I found the upstream bug for this issue:

https://github.com/net-snmp/net-snmp/issues/233

The fix landed in the upstream master and V5-9-patches branches [1], but the issue is still open lacking verification. The patch doesn't apply cleanly on version 5.8, the version currently in Focal, Groovy and Hirsute, so this is not a SRU "patch on a plate" scenario, at least not for the moment.

For Hirsute: I had a look at the past upstream release history and I think it's unlikely that we'll get 5.9.1 released in time. However we do have a patch ready for the version in Hirsute, so this should be an easy fix. Before proceeding I'd wait for the upstream issue to be closed as fixed, confirming that the patch works as expected. I poked the issue on GitHub.

[1] https://github.com/net-snmp/net-snmp/commit/bb30f8ee0075750fd3648a6bf3fab543f46152ed

Thanks, Paride.

I had also found the same bug yesterday, but I decided not to mark the bug as Triaged because I still cannot reproduce it.

As noted previously, I would like to be able to reproduce the issue before moving forward. This will prove useful if we have to SRU the patch.

I still could not successfully generate a TLS cert with an extension bigger than 512 bytes, but I haven't tried again after Graham's last comment.

diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
index e0e6615f0..dd202f440 100644
--- a/snmplib/snmp_openssl.c
+++ b/snmplib/snmp_openssl.c
@@ -499,6 +499,8 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert)
         extension_name = OBJ_nid2sn(nid);
         buf_len = sizeof(buf);
         str = _cert_get_extension_str_at(ocert, i, &buf_ptr, &buf_len, 0);
+ if (!str)
+ continue;
         lf = strchr(str, '\n'); /* look for multiline strings */
         if (NULL != lf)
             *lf = '\0'; /* only log first line of multiline here */
diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
index 01d72afb2..e0e6615f0 100644
--- a/snmplib/snmp_openssl.c
+++ b/snmplib/snmp_openssl.c
@@ -300,7 +300,7 @@ _cert_get_extension(X509_EXTENSION *oext, char **buf, int *len, int flags)

     if (!buf_ptr) {
         snmp_log(LOG_ERR,
- "not enough space or error in allocation for extenstion\n");
+ "not enough space or error in allocation for extension\n");
         BIO_vfree(bio);
         return NULL;
     }
diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
index dd202f440..7d6db6ae6 100644
--- a/snmplib/snmp_openssl.c
+++ b/snmplib/snmp_openssl.c
@@ -290,8 +290,11 @@ _cert_get_extension(X509_EXTENSION *oext, char **buf, int *len, int flags)

     space = BIO_get_mem_data(bio, &data);
     if (buf && *buf) {
- if (*len < space)
- buf_ptr = NULL;
+ if (*len < space + 1) {
+ snmp_log(LOG_ERR, "not enough buffer space to print extension\n");
+ BIO_vfree(bio);
+ return NULL;
+ }
         else
             buf_ptr = *buf;
     }
@@ -299,8 +302,7 @@ _cert_get_extension(X509_EXTENSION *oext, char **buf, int *len, int flags)
         buf_ptr = calloc(1,space + 1);

     if (!buf_ptr) {
- snmp_log(LOG_ERR,
- "not enough space or error in allocation for extension\n");
+ snmp_log(LOG_ERR, "error in allocation for extension\n");
         BIO_vfree(bio);
         return NULL;
     }
@@ -479,7 +481,7 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert)
 {
     X509_EXTENSION *extension;
     const char *extension_name;
- char buf[SNMP_MAXBUF_SMALL], *buf_ptr = buf, *str, *lf;
+ char buf[SNMP_MAXBUF], *buf_ptr = buf, *str, *lf;
     int i, num_extensions, buf_len, nid;

     if (NULL == ocert)
@@ -499,8 +501,11 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert)
         extension_name = OBJ_nid2sn(nid);
         buf_len = sizeof(buf);
         str = _cert_get_extension_str_at(ocert, i, &buf_ptr, &buf_len, 0);
- if (!str)
+ if (!str) {
+ DEBUGMSGT(("9:cert:dump", " %2d: %s\n", i,
+ extension_name));
             continue;
+ }
         lf = strchr(str, '\n'); /* look for multiline strings */
         if (NULL != lf)
             *lf = '\0'; /* only log first line of multiline here */
diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
index 7d6db6ae6..c092a007a 100644
--- a/snmplib/snmp_openssl.c
+++ b/snmplib/snmp_openssl.c
@@ -284,33 +284,30 @@ _cert_get_extensio...

Hi Sergio,

I did manage to reproduce the crash by lowering SNMP_MAXBUF_SMALL and rebuilding the package, as Graham suggested. I couldn't generate a certificate crashing snmpd with the default value of 512, but most likely I didn't manage to add a very long extension to the certs I generated.

In my previous comment I mentioned Focal. I think this is an Invalid bug in Focal, as Focal's snmp doesn't support TLS at all, see LP: 1880724. I'm going to change this bug tasks according to this.

Paride

Hi Paride,

Thanks for further investigating. I assumed that the crash was indeed reproducible by hacking the package, but I think it's important to get a reproducer that doesn't involve rebuilding anything if we're thinking about an SRU (for Groovy, for example).

In any case, I think it's possible to proceed with the upstream fix. I'll see if I have time later to look into this.

In theory, any Let's Encrypt certificate should cause this crash.

The serialised certificate transparency of the certificate at redwax.eu is 1577 bytes, three times higher than the 512 byte limit that triggers the crash.

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version : v1(0)
                    Log ID : 5C:DC:43:92:FE:E6:AB:45:44:B1:5E:9A:D4:56:E6:10:
                                37:FB:D5:FA:47:DC:A1:73:94:B2:5E:E6:F6:C7:0E:CA
                    Timestamp : Jan 11 03:13:53.345 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:E3:F3:7C:A3:71:D1:57:DD:76:1E:01:
                                AA:61:7D:E2:39:6B:0F:2B:93:B3:3A:B2:90:8F:EE:D5:
                                04:92:12:BD:8B:02:21:00:D0:8C:15:42:F5:E7:6C:D0:
                                FC:B4:25:E2:57:5E:C1:EB:F8:7A:4A:06:5B:AD:4C:6E:
                                B0:25:96:45:DF:A9:97:41
                Signed Certificate Timestamp:
                    Version : v1(0)
                    Log ID : F6:5C:94:2F:D1:77:30:22:14:54:18:08:30:94:56:8E:
                                E3:4D:13:19:33:BF:DF:0C:2F:20:0B:CC:4E:F1:64:E3
                    Timestamp : Jan 11 03:13:53.322 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:3E:CC:F8:39:7E:27:5F:20:D7:77:DC:75:
                                9D:D2:F2:C8:09:F4:86:1C:26:FF:76:DF:21:A0:BD:90:
                                8A:26:FA:59:02:20:75:69:90:93:B2:F4:76:BC:1A:D3:
                                63:B7:1C:D0:72:56:13:97:7D:37:B3:8B:E2:6E:8C:71:
                                1A:72:4D:7E:86:F4

Quick ping on this one.

Latest net-snmp with this fixed is https://github.com/net-snmp/net-snmp/releases/tag/v5.9.1.rc1.

Thanks for the heads-up Graham. Our team will be taking a look at it.

Thanks, Graham.

This issue impacts Hirsute and Impish.

For Impish, the best course of action here would be to wait for Debian to pick up this fix, which would then mean that Ubuntu would automatically pick it up as well. Given that Debian is in freeze right now, I don't know if the net-snmp maintainers there are planning to work on it anytime soon.

For Hirsute, we'd need to go through the SRU process. The first step here would be to come up with a reliable set of steps to reproduce this issue, which I haven't been able to do so far (I confess I haven't had the time to test your Let's Encrypt suggestion, though).

I will see if I can reproduce it locally and then start the SRU process. If you already have a detailed set of steps to reproduce the bug, please let me know. Thanks.

OK, finally I was able to trigger the bug locally using a self-signed cert. I am going to start writing the SRU template for it.

Thanks.

Same bug at RHEL is here: https://bugzilla.redhat.com/show_bug.cgi?id=1908718

Still waiting on the SRU team to address this. I will ping them today.

This bug was fixed in the package net-snmp - 5.9+dfsg-3ubuntu2

---------------
net-snmp (5.9+dfsg-3ubuntu2) impish; urgency=medium

  * Fix segmentation fault when certificate contains extension
    longer than 512 bytes (LP: #1912389)
    - d/p/lp1912389-libsnmp-Handle-certificate-loading-errors-gracefully.patch:
      Skip certificate if loading fails.
    - d/p/lp1912389-libsnmp-SSL-Increase-extension-buffer-size-to-preven.patch:
      Make sure enough space is allocated for extensions longer than
      512 bytes.

 -- Sergio Durigan Junior <email address hidden> Tue, 25 May 2021 19:03:31 -0400

Hello Graham, or anyone else affected,

Accepted net-snmp into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/net-snmp/5.9+dfsg-3ubuntu1.21.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted net-snmp (5.9+dfsg-3ubuntu1.21.04.1) for hirsute have finished running.
The following regressions have been reported in tests triggered by the package:

asterisk/1:16.16.1~dfsg-1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/hirsute/update_excuses.html#net-snmp

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Performing the verification for Hirsute:

First, reproducing the bug with the version currently available:

# apt policy snmpd
snmpd:
  Installed: 5.9+dfsg-3ubuntu1
  Candidate: 5.9+dfsg-3ubuntu1
  Version table:
 *** 5.9+dfsg-3ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu hirsute/main amd64 Packages
        100 /var/lib/dpkg/status
# snmpd -DALL
...
9:cert:dump: 5: authorityKeyIdentifier = keyid:AC:D0:13:2A:98:58:02:02:D2:BA:E9:8A:0B:F3:5A:B8:BD:6C:BB:64
not enough space or error in allocation for extenstion
Segmentation fault (core dumped)

Now, updating the package to the version available in -proposed and making sure that the bug is fixed:

# apt policy snmpd
snmpd:
  Installed: 5.9+dfsg-3ubuntu1.21.04.1
  Candidate: 5.9+dfsg-3ubuntu1.21.04.1
  Version table:
 *** 5.9+dfsg-3ubuntu1.21.04.1 500
        500 http://archive.ubuntu.com/ubuntu hirsute-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     5.9+dfsg-3ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu hirsute/main amd64 Packages
# snmpd -DALL
trace: netsnmp_getaddrinfo(): system.c, 851:
dns:getaddrinfo: looking up "127.0.0.1" with hint ({ ... })
trace: netsnmp_sockaddr_in6_3(): transports/snmpIPv6BaseDomain.c, 314:
netsnmp_sockaddr_in6: failed to parse 127.0.0.1
Error opening specified endpoint "127.0.0.1"
Server Exiting with code 1
#

As can be seen, the segmentation fault doesn't happen anymore. Therefore, the bug has been fixed and the verification is complete.

This bug was fixed in the package net-snmp - 5.9+dfsg-3ubuntu1.21.04.1

---------------
net-snmp (5.9+dfsg-3ubuntu1.21.04.1) hirsute; urgency=medium

  * Fix segmentation fault when certificate contains extension
    longer than 512 bytes (LP: #1912389)
    - d/p/lp1912389-libsnmp-Handle-certificate-loading-errors-gracefully.patch:
      Skip certificate if loading fails.
    - d/p/lp1912389-libsnmp-SSL-Increase-extension-buffer-size-to-preven.patch:
      Make sure enough space is allocated for extensions longer than
      512 bytes.

 -- Sergio Durigan Junior <email address hidden> Tue, 25 May 2021 19:09:11 -0400

The verification of the Stable Release Update for net-snmp has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.